
Earth Kurma Targets Southeast Asia With Rootkits and Cloud-Based Data Theft Tools


Government and telecommunications sectors in Southeast Asia have become the target of a “sophisticated” campaign undertaken by a new advanced persistent threat (APT) group called Earth Kurma since June 2024.

The attacks, per Trend Micro, have leveraged custom malware, rootkits, and cloud storage services for data exfiltration. The Philippines, Vietnam, Thailand, and Malaysia are among the prominent targets.

“This campaign poses a high business risk due to targeted espionage, credential theft, persistent foothold established through kernel-level rootkits, and data exfiltration via trusted cloud platforms,” security researchers Nick Dai and Sunny Lu said in an analysis published last week.

The threat actor’s activities date back to November 2020, with the intrusions primarily relying on services like Dropbox and Microsoft OneDrive to siphon sensitive data using tools like TESDAT and SIMPOBOXSPY.

Two other noteworthy malware families in its arsenal include rootkits such as KRNRAT and Moriya, the latter of which has been observed previously in attacks aimed at high-profile organizations in Asia and Africa as part of an espionage campaign dubbed TunnelSnake.


Trend Micro also said that SIMPOBOXSPY and the exfiltration script used in the attacks share overlaps with another APT group codenamed ToddyCat. However, a definitive attribution remains inconclusive.

It is currently not known how the threat actors gain initial access to target environments. The initial foothold is then abused to scan the network and conduct lateral movement using a variety of tools like NBTSCAN, Ladon, FRPC, WMIHACKER, and ICMPinger. Also deployed is a keylogger referred to as KMLOG to harvest credentials.

It’s worth noting that the use of the open-source Ladon framework has been previously attributed to a China-linked hacking group called TA428 (aka Vicious Panda).

Persistence on the hosts is accomplished by three different loader strains referred to as DUNLOADER, TESDAT, and DMLOADER, which are capable of loading next-stage payloads into memory and executing them. These consist of Cobalt Strike Beacons, rootkits like KRNRAT and Moriya, as well as data exfiltration malware.

What distinguishes these attacks is the use of living-off-the-land (LotL) techniques to install the rootkits, in which the attackers abuse legitimate system components, in this case syssetup.dll, rather than introducing easily detectable malware.

While Moriya is engineered to inspect incoming TCP packets for a malicious payload and inject shellcode into a newly spawned “svchost.exe” process, KRNRAT is an amalgamation of five different open-source projects with capabilities such as process manipulation, file hiding, shellcode execution, traffic concealment, and command-and-control (C2) communication.

KRNRAT, like Moriya, is also designed to load a user-mode agent from the rootkit and inject it into “svchost.exe.” The user-mode agent serves as a backdoor to retrieve a follow-on payload from the C2 server.


“Before exfiltrating the files, several commands executed by the loader TESDAT collected specific document files with the following extensions: .pdf, .doc, .docx, .xls, .xlsx, .ppt, and .pptx,” the researchers said. “The documents are first placed into a newly created folder named ‘tmp,’ which is then archived using WinRAR with a specific password.”

One of the bespoke tools used for data exfiltration is SIMPOBOXSPY, which can upload the RAR archive to Dropbox with a specific access token. According to a Kaspersky report from October 2023, the generic Dropbox uploader is “probably not exclusively used by ToddyCat.”

ODRIZ, another program used for the same purpose, uploads the collected information to OneDrive by specifying the OneDrive refresh token as an input parameter.
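As an added example, not code from Trend Micro's report, the following Python snippet shows how a defender might hunt for the staging and exfiltration pattern described above: a password-protected WinRAR archive of a directory named tmp, followed shortly by a connection to a Dropbox or OneDrive API host from the same machine. The telemetry is constructed, and the event shape, the cloud hostnames and the ten-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report): process-creation and
# network events in a simplified Sysmon-like shape, one host staging and
# uploading, another doing an ordinary unencrypted backup.
EVENTS = [
    {"ts": "2024-06-10T09:01:00", "host": "WS01", "type": "process",
     "cmd": r'cmd.exe /c copy C:\Users\a\Documents\*.docx C:\tmp'},
    {"ts": "2024-06-10T09:02:10", "host": "WS01", "type": "process",
     "cmd": r'"C:\Program Files\WinRAR\Rar.exe" a -hpS3cret! C:\tmp\out.rar C:\tmp'},
    {"ts": "2024-06-10T09:03:30", "host": "WS01", "type": "network",
     "dest": "content.dropboxapi.com", "port": 443},
    {"ts": "2024-06-10T11:00:00", "host": "WS02", "type": "process",
     "cmd": r'"C:\Program Files\WinRAR\Rar.exe" a C:\backup\docs.rar C:\Users\b\Documents'},
    {"ts": "2024-06-10T11:00:30", "host": "WS02", "type": "network",
     "dest": "content.dropboxapi.com", "port": 443},
]

# rar/WinRAR "a" (add) command carrying a -p<pwd> or -hp<pwd> password switch
RAR_PW = re.compile(r'(?i)\b(?:rar|winrar)(?:\.exe)?"?\s+a\b.*\s-h?p\S+')
# a path component named "tmp" used as the archived source directory
STAGING_DIR = re.compile(r'(?i)[\\/]tmp[\\/]?(?:\s|$)')
# assumed upload endpoints for the two cloud services named in the report
CLOUD_HOSTS = {"content.dropboxapi.com", "api.dropboxapi.com",
               "graph.microsoft.com", "api.onedrive.com"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

def find_staging_exfil(events, window=WINDOW):
    """Return (host, archive_cmd, dest) for every password-protected RAR of a
    tmp directory that is followed within `window` by a cloud upload host."""
    hits = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(events):
        if ev["type"] != "process":
            continue
        if not (RAR_PW.search(ev["cmd"]) and STAGING_DIR.search(ev["cmd"])):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        for later in events[i + 1:]:
            if later["host"] != ev["host"] or later["type"] != "network":
                continue
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break
            if later["dest"] in CLOUD_HOSTS:
                hits.append((ev["host"], ev["cmd"], later["dest"]))
                break
    return hits
```

Feeding real process and network telemetry into find_staging_exfil surfaces the archive command and upload destination together, so analysts can pivot on the RAR path and the token-bearing upload process rather than on either event alone.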

“Earth Kurma remains highly active, continuing to target countries around Southeast Asia,” Trend Micro said. “They have the capability to adapt to victim environments and maintain a stealthy presence.”

“They can also reuse the same code base from previously identified campaigns to customize their toolsets, sometimes even utilizing the victim’s infrastructure to achieve their goals.”
